Driving Openness and Innovation at Scale with Open-Source Network Security Monitoring – The Fast Mode


In a recent interview, Ariana Lynn, Principal Analyst at The Fast Mode spoke to Éric Leblond, Chief Technology Officer and Co-Founder of Stamus Networks on the impact of traffic visibility on modern IP networks. Éric joins us in a series of discussions with leading networking, analytics and cybersecurity companies, assessing the need for traffic filtering technologies that can deliver real-time, granular application awareness. The series explores how advanced analytics power various network functions amidst the rapid growth in traffic and applications. 

Ariana: What are your views on open-source software for delivering visibility?

Éric: Monitoring the network for malicious threats and unauthorized activity is critical for maintaining an effective cyber defense, and organizations of all sizes should be doing it.

Open-source network security monitoring tools, such as Suricata and Zeek, can help defenders monitor their organization’s network for malicious activity and are freely available for anyone to use, modify, and distribute. Instead of relying on pre-built commercial security software, open-source tools offer a different approach based on transparency, flexibility, customizability, and community collaboration.

This openness allows a broad community to contribute to its development while also tailoring the system for their own unique needs. The scale and diversity of the community can provide innovation at a scale that is simply unattainable by a single vendor or organization.

Open-source network security monitoring tools can be a very cost-effective option for many organizations because they eliminate the licensing costs associated with commercial security software, making it an attractive option for personal use or budget-conscious organizations.

Ariana: How effective is deep packet inspection (DPI) technology in addressing today’s traffic complexities?

Éric: Extremely effective. By passively monitoring actual network traffic, systems that use deep packet inspection (DPI) are able to extract the maximum information from the network communications. In addition, they do not depend upon external log sources and are not burdened with normalizing these prior to analysis.

In contrast, using only third-party flow records (such as NetFlow) for threat detection and response has severe limitations compared to a DPI approach. These include:

  • Limited Visibility – Third-party flow records only capture metadata about network traffic, like source and destination IP addresses, port numbers, and packet volume. They cannot extract advanced metadata from the traffic and certainly cannot view the actual content of the packets. This makes them blind to threats hiding within encrypted traffic or applications using custom protocols.
  • No File Extraction – Third-party flow records lack the ability to identify and extract individual files or attachments from network traffic. They provide aggregate information on bytes transferred but don’t reveal the actual file structure or content.
  • Limited Forensics Potential – Since third-party flow records don’t capture the actual packets, they are not suitable for generating PCAP (Packet Capture) records. PCAPs are crucial for forensic analysis, as they contain a complete record of captured network traffic. With only third-party flow data, investigators lack the raw information to reconstruct events or identify specific malicious packets.
  • Evasion Tactics – Malicious actors can exploit the limitations of third-party flow data. They can fragment data packets or tunnel malicious content within legitimate protocols to bypass flow-based detection.
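The contrast drawn above between flow-record detection and DPI can be made concrete with a small example. The following Python is an added illustration, not code from the interview, from Stamus Networks or from Suricata. It runs two detectors over the same two constructed flows: one sees only NetFlow-style metadata (5-tuple, byte and packet counts), the other reassembles the packet payloads, parses the HTTP response, extracts the transferred file and checks its SHA-256 against a constructed blocklist. The flow records, packets, "known-bad" hash, port list and the simplified one-direction TCP reassembly are all assumptions made for the example.

```python
"""Flow-only versus DPI-style detection over the same constructed traffic."""
import hashlib
from collections import defaultdict

# Constructed flow records in the spirit of NetFlow: metadata only, no payload.
FLOW_RECORDS = [
    {"src": "10.0.0.5", "dst": "203.0.113.9", "sport": 51512, "dport": 80,
     "proto": "tcp", "bytes": 612, "packets": 6},
    {"src": "10.0.0.5", "dst": "203.0.113.9", "sport": 51513, "dport": 4444,
     "proto": "tcp", "bytes": 1200, "packets": 12},
]

# Constructed payloads for the same two flows (what a DPI sensor would see).
# The HTTP body is a made-up file, not real malware.
HTTP_BODY = b"MZ\x90\x00constructed-sample-binary\n"
HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="update.exe"\r\n'
    b"Content-Length: " + str(len(HTTP_BODY)).encode() + b"\r\n\r\n" + HTTP_BODY
)
PACKETS = [
    # flow 1: the HTTP response split across two TCP segments, as on the wire
    {"src": "203.0.113.9", "dst": "10.0.0.5", "sport": 80, "dport": 51512,
     "seq": 0, "payload": HTTP_RESPONSE[:40]},
    {"src": "203.0.113.9", "dst": "10.0.0.5", "sport": 80, "dport": 51512,
     "seq": 40, "payload": HTTP_RESPONSE[40:]},
    # flow 2: harmless text on an uncommon port
    {"src": "10.0.0.5", "dst": "203.0.113.9", "sport": 51513, "dport": 4444,
     "seq": 0, "payload": b"hello\n"},
]

# Constructed blocklist: SHA-256 of the made-up file above (hypothetical IoC).
KNOWN_BAD_SHA256 = {hashlib.sha256(HTTP_BODY).hexdigest()}
COMMON_PORTS = {80, 443, 53, 25}  # assumed "normal" destination ports


def flow_key(rec):
    """Direction-independent flow identity so records and packets line up."""
    return tuple(sorted([(rec["src"], rec["sport"]), (rec["dst"], rec["dport"])]))


def flow_only_detect(records):
    """What is possible with metadata alone: port and volume heuristics."""
    alerts = []
    for r in records:
        if r["dport"] not in COMMON_PORTS:
            alerts.append({"flow": flow_key(r),
                           "reason": f"uncommon destination port {r['dport']}"})
    return alerts


def reassemble(packets):
    """Simplified reassembly: order one direction's segments by sequence number."""
    streams = defaultdict(list)
    for p in packets:
        streams[(flow_key(p), p["src"], p["sport"])].append(p)
    return {k: b"".join(s["payload"] for s in sorted(v, key=lambda s: s["seq"]))
            for k, v in streams.items()}


def parse_http_response(data):
    """Return (headers, body) for an HTTP response, or None if it is not one."""
    if not data.startswith(b"HTTP/1."):
        return None
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        return None
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    length = int(headers.get("content-length", len(body)))
    return headers, body[:length]


def extract_filename(headers):
    """Pull filename="..." out of Content-Disposition, if present."""
    disp = headers.get("content-disposition", "")
    marker = 'filename="'
    return disp.split(marker, 1)[1].split('"', 1)[0] if marker in disp else None


def dpi_detect(packets):
    """What DPI adds: the transferred file itself, its name, type and hash."""
    alerts = []
    for (fkey, _src, _sport), data in reassemble(packets).items():
        parsed = parse_http_response(data)
        if parsed is None:
            continue
        headers, body = parsed
        digest = hashlib.sha256(body).hexdigest()
        if digest in KNOWN_BAD_SHA256:
            alerts.append({"flow": fkey, "reason": "known-bad file",
                           "filename": extract_filename(headers),
                           "content_type": headers.get("content-type"),
                           "sha256": digest})
    return alerts


if __name__ == "__main__":
    print("flow-only:", flow_only_detect(FLOW_RECORDS))
    print("dpi:      ", dpi_detect(PACKETS))
```

Run stand-alone, the flow-only detector raises one alert, on the benign port-4444 flow, and says nothing about the file download on port 80; the DPI detector raises one alert on the port-80 flow and carries the file name, content type and hash that an analyst would need, which is the visibility gap the bullets above describe.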

Éric has more than 15 years of experience as co-founder and CTO of cybersecurity software companies and is an active member of the security and open-source communities. He has worked on the development of Suricata – the open-source network threat detection engine – since 2009, is a board member of OISF, and was a member of the Netfilter Core Team for the Linux kernel’s firewall layer. Éric resides in Escalles, France.

This interview is a part of The Fast Mode’s Traffic Visibility segment, featuring leading networking, analytics and cybersecurity companies and their views on the importance of network intelligence and DPI for today’s IP networks. A research report on this topic will be published in June 2024 – for more information, visit here.
